For far too long, I’ve been encouraging my customers to pay careful attention to the security of their SD-WAN solutions. I’m not just speaking about providing security services as part of the SD-WAN. Yes, that’s critical, but even more important is ensuring your SD-WAN solution is hardened against attack.
We discussed those concerns two years ago at great length, warning that many SD-WAN appliances ran open source components, with 80% having known Common Vulnerabilities and Exposures (CVEs), some more than a decade old. You simply can’t assume an SD-WAN CPE has an updated operating system or is running updated code.
Sadly, the issue hasn’t gone away. Testing by Sergei Gordeychik from a team of security researchers specializing in ICS/SCADA security uncovered numerous vectors attackers can exploit to penetrate SD-WAN solutions. One point that was particularly interesting was how SD-WAN images available in the Amazon marketplace are often out-of-date. Below are two slides from Gordeychik’s presentation that underscore this point:
What you can do
Given these other findings, I continue to encourage customers to carefully test the security of their SD-WAN implementation. Conduct penetration testing — it’s worth it. If you don’t have a firm to handle that testing, we can help you. The last thing you want to do after migrating over from MPLS to SD-WAN is to find that you’ve unknowingly opened a backdoor to your company’s network.
Also, make sure that once you’ve deployed your SD-WAN gear, a process is in place for applying patches and security updates. Some companies, particularly those running their own services, automatically update their SD-WAN appliance. Usually, though, applying updates is the customer’s responsibility. If you go with a managed service provider (MSP), be sure to contractually obligate them to apply patches promptly.
The results of Gordeychik’s testing were presented in his 35C3 talk. Here’s where you can find the slides and over here is the video. If you need help assessing the security of your SD-WAN, you know where to find me.